GDB memory reads fail on Cortex-M33
Host environment
- Operating system: Fedora 36
- OS/kernel version: Linux dreiss-fedora-PC0MZ7A2 6.0.11-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Dec 2 20:38:11 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
- Architecture: x86_64 host, Arm cortex-m33 emulated
- QEMU flavor: qemu-system-arm
- QEMU version: QEMU emulator version 7.2.50 (v7.2.0-334-gca5181d8d7-dirty) (This is based on upstream git revision 222059a0 with some irrelevant local changes).
- QEMU command line:
-->
~/work/qemu/build/qemu-system-arm -machine mps2-an505 -nographic -kernel build/kernel.elf -s -S -d int
Emulated/Virtualized environment
- Operating system: Bare metal
- OS/kernel version: None
- Architecture: Arm Cortex M-33
Description of problem
GDB fails to read memory from the guest. There appear to be at least two problems:
- In
arm_cpu_get_phys_page_attrs_debug
,arm_is_secure(env)
returns false, because the implementation doesn't seem to know about Armv7-M or Armv8-M secure states. However,arm_mmu_idx(env)
does know how to checkenv->v7m.secure
, so it returnsARMMMUIdx_MSPriv
(the S stands for secure). The mismatch between an apparently non-secure access to a secure MMU seems to cause the read to fail laster. - With the MPU enabled (not the case in this repro, but I can provide one),
cpu_memory_rw_debug
computespage = addr & TARGET_PAGE_MASK
, and uses the page to compute permissions. However, TARGET_PAGE_MASK is based on 4K pages on this platform, but the MPU granularity is 32 bytes. So the wrong page is used for checking.
Steps to reproduce
# Sorry for the large clone. It's mostly unused files in CMSIS.
git clone --recursive -b qemu-repro-1 https://github.com/dreiss/mpu_experiments
cd mpu_experiments
git checkout origin/qemu-repro-1
cmake -S . -B build -DBOARD=qemu-mps2-an505 -DAPP=mpu_stacktrace -DCMAKE_BUILD_TYPE=Debug
cmake --build build
/path/to/qemu-system-arm -machine mps2-an505 -nographic -kernel build/kernel.elf -s -S -d int
# Open a separate terminal and cd into mpu_experiments
gdb build/kernel.elf -ex 'target remote :1234' -ex 'break base_case' -ex continue -ex backtrace -ex quit
# Note the memory read failures in the backtrace.